Podcast 6

OWASP Podcast Series #6

Recorded January 24, 2009

-  

Participants

- Brian Holyfield is a co-founder of Gotham Digital Science, where he helps clients detect, correct and prevent software security problems.  Alot of his time recently has been spent researching how to protect applications at run-time.
- Marcin Wielgoszewski is a security consultant based out of New York City and is the founder of the tssci-security.com blog.
- Andre Geronda is a web application security trainer in the Pheonix area. He is also a contributor for the tssci-security.com blog.
- Jim Manico is a Web Application Architect and Security Engineer for Aspect Security. 

Recap OWASP EU Summit

- Talked with Adobe rep
- Figured out the charter for ISWG
- OWASP Live CD http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
- Press coverage is hilarious
- OWASP Education Project http://www.owasp.org/index.php/Category:OWASP_Education_Project
- Clickjacking trends

Builder vs Breaker

- is this a real skill gap?
- easier to build/defend
- fixing stuff is boring (kuza55)

We've reached Application Security Tipping Point

- Chris Wysopal (Zero in a bit)
- Attacks are getting simpler (and we're barely fixing old vulns)
- Assets are moving more and more to the web
- New technology  =  make all same mistakes again
- Aspect never wanted to be NGS - but everything is broken
- Just this morning, hilarious SSO product bypass (thats all we'll say, not method/verb tampering)

Canonicalization is a nightmare

- mod_security turns off Unicode validation by default
- another commercial WAF bypassable by default with invalid UTF-8
- any byte-based validation is failure on the web (or unmanaged langs)

Securing WebGoat with mod_security

- Summer of Code project with Stephen Craig Evans
- very interesting Lua scripting capability
- stateful WAFing is possible with Lua
- Modsecurity and HTTPOnly